RE: security enforcement - new monitor for winnt
Liu Die Yu, are you sure you don't want to be calling _snprintf
here? ;) And since CreateFileW can be called with a 32,767 byte file name,
I'm not sure what'll happen when you stuff it into a 200 byte buffer when
it's converted to multi-byte... Call me crazy, but I'd be a little hesitant
to run this in a production environment (even though it's at version 6.0)
Microsoft doesn't have a monopoly on buggy code with B0fs in it. ;)
This is a good idea though, hooking is neat. I'm not so sure I'd say
it's unprecedented. Using AppInit_DLLs to load a hook DLL is a pretty common
trick. Still, a nice hack.
.text:10001AEB ; int __stdcall My_CreateFileW(LPCWSTR
lpWideCharStr,int,int,int,int,int,int)
.text:10001AEB public My_CreateFileW
.text:10001AEB My_CreateFileW proc near ; DATA XREF:
DllMain(x,x,x)+47o
.text:10001AEB ; DllMain(x,x,x)+75o
.text:10001AEB
.text:10001AEB var_CD0 = byte ptr -0CD0h
.text:10001AEB var_8D0 = dword ptr -8D0h
.text:10001AEB var_8CC = dword ptr -8CCh
.text:10001AEB MultiByteStr = byte ptr -8C8h
.text:10001AEB Text = byte ptr -800h
.text:10001AEB lpWideCharStr = dword ptr 8
.text:10001AEB arg_4 = dword ptr 0Ch
.text:10001AEB arg_8 = dword ptr 10h
.text:10001AEB arg_C = dword ptr 14h
.text:10001AEB arg_10 = dword ptr 18h
.text:10001AEB arg_14 = dword ptr 1Ch
.text:10001AEB arg_18 = dword ptr 20h
.text:10001AEB
.text:10001AEB push ebp
.text:10001AEC mov ebp, esp
.text:10001AEE sub esp, 0CD0h
.text:10001AF4 mov [ebp+var_8D0], 0
.text:10001AFE call sub_100012EF ; _reg
.text:10001B03 test eax, eax
.text:10001B05 jnz loc_10001C42
.text:10001B0B lea eax, [ebp+var_CD0]
.text:10001B11 push eax
.text:10001B12 mov ecx, [ebp+arg_4]
.text:10001B15 push ecx
.text:10001B16 call sub_10001383
.text:10001B1B push 0 ; lpUsedDefaultChar
.text:10001B1D push 0 ; lpDefaultChar
.text:10001B1F push 0C8h ; cchMultiByte
.text:10001B24 lea edx, [ebp+MultiByteStr]
.text:10001B2A push edx ; lpMultiByteStr
.text:10001B2B push 0FFFFFFFFh ; cchWideChar
.text:10001B2D mov eax, [ebp+lpWideCharStr]
.text:10001B30 push eax ; lpWideCharStr
.text:10001B31 push 0 ; dwFlags
.text:10001B33 push 0 ; CodePage
.text:10001B35 call ds:WideCharToMultiByte
.text:10001B3B mov [ebp+Text], 0
.text:10001B42 lea ecx, [ebp+MultiByteStr]
.text:10001B48 push ecx
.text:10001B49 lea edx, [ebp+var_CD0]
.text:10001B4F push edx
.text:10001B50 call ds:GetCommandLineA
.text:10001B56 push eax
.text:10001B57 call sub_100010C9
.text:10001B5C push eax
.text:10001B5D push offset aCreatefileSSSS ;
"CreateFile:%s > %s ==> %s --> %s"
.text:10001B62 lea eax, [ebp+Text]
.text:10001B68 push eax
.text:10001B69 call _sprintf
.text:10001B6E add esp, 18h
.text:10001B71 mov [ebp+var_8D0], 0
.text:10001B7B jmp short loc_10001B8C
Cheers,
~x
> -----Original Message-----
> From: Liu Die Yu [mailto:liudieyuinchina@xxxxxxxxxxxx]
> Sent: March 29, 2004 11:35 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: security enforcement - new monitor for winnt
>
>
>
>
> i want to stop ie:
>
> writing EXE/CAB/LNK ... files,
>
> calling MSHTA.EXE to parse remote web pages,
>
> accessing files outside "favorites" and cache("content.ie5").
>
>
>
> i want to stop WSCRIPT.EXE from parsing files inside TEMP and cache.
>
>
>
> i want to stop the system running executable files located in
> TEMP and cache.
>
>
>
> afaik, i can stop ie 0day exploits by doing these things.
>
>
>
> so, i made this:
>
http://umbrella.name/winblox/
of course, free. and you can define your own rules easily(assuming you guys
know a bit about regular expression).
it's totally a new idea(afaik). so, not for operational uses.
---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004